In the SSE CMM Framework: Monitor Security Posture /Monitor Security Safeguards.

• James P. Craft, CISSP
  USAID Information Systems Security Officer
  1300 Pennsylvania Ave., Suite 2.12-032
  Washington, DC 20523-2120
  Telephone: 202-712-5460
  Fax: 202-216-3053
  E-mail: jcraft@usaid.gov

Vendor Partner:

• William R. Cleveland
  USAID PRIME Security Program Manager
  Computer Sciences Corporation
  1100 Wilson Blvd., Suite 1100
  Rosslyn, VA 22209
  Telephone: 703-465-7054
  Fax: 703-465-7193
  E-mail: wclevela@csc.com or cassistance@usaid.gov

UNIX

This section provides a checklist designed to assess the UNIX operational security posture of an organization. Individual line items in the UNIX checklist that are checked "No" should be documented in the Justifications section of the checklist.

Windows NT

This section provides a checklist for configuring the security of an NT 4.0 system.

The checklist contains items relative to physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified.

Individual line items in the Windows NT checklist that are checked "No" should be documented in the Justifications section of the checklist.

Banyan

This section provides a checklist for configuring the security of a BANYAN VINES-based system.

The checklist contains items relative to the physical security, user account security, auditing and supervisor account security. Security configuration compliance with the checklist is considered as a minimum requirement and is mandatory for host systems connected to the organization's backbone and/or to the Internet. The security configurations included herein will also be used for any initial and follow-on system accreditation, security plans, and similar activities. This checklist is subject to change if any new system anomalies or vulnerabilities are identified. Personnel using this checklist are cautioned that, because there are several variants of the basic BANYAN VINES operating, additional configuration requirements may be necessary.

Individual line items in the Banyan checklist that are checked "No" should be documented in the justifications section of the checklist.

Microsoft Proxy Server

This section provides a checklist to assess the Microsoft Proxy Server operational security posture of an organization. Individual line items in the Microsoft Proxy Server checklist that are checked "No" should be documented in the Justifications section of the checklist.

Network Review (General Security Checklist)

This section provides a checklist to assess the physical, operational, and administrative security posture of an organization. Individual line items that are checked "No" should be documented in the Comments section.

• Section A.3.a.3 states: "Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system. Depending on the potential risk and magnitude of harm that could occur, consider identifying a deficiency pursuant to OMB Circular No. A-123, "Management Accountability and Control" and the Federal Managers' Financial Integrity Act (FMFIA), if there is no assignment of security responsibility, no security plan, or no authorization to process for a system."

Subject: COMPUTER SECURITY TEAM VISIT

Source: David Bayer, USAID Peru Executive Office

If you have the opportunity to have the Information Systems Security Officer (ISSO) Jim Craft and his Risk Assessment Program Area Manager, Rodney Murphy, visit your Mission with their team of computer security experts, then take advantage of it. They did one hell of a job during their February visit with us at USAID/Peru in getting us up to speed and raising our level of consciousness about security issues. This is not to say that our dedicated IRM staff, led by Systems Manager, Lucho Figueroa, have not been working their hearts out to get us into shape, but it is a real injection of energy to have professional people like Jim, Rodney, John Zoble, Mike Reiter and Steve Bui come in and sit down to review your Computer Security Program and Computer Contingency Plan with you.

And last but not  least, they have given us some key advice and methods for closing out some computer security audit issues which are not only USAID/Peru exposures but endemic to all Missions worldwide.

Computer security is becoming an important issue in for USAID and all organizations. In this environment, new security standards and having a formal security program in each overseas Mission is very important.

1. Scanning tools and results (see Section 4.4)
2. Safeguards Configuration Checklists
• UNIX
• WINDOWS NT
• BANYAN VINES
• MICROSOFT PROXY SERVER
• NETWORK REVIEW (GENERAL SECURITY CHECKLIST)]
3. Safeguards Configuration Handbooks
• UNIX
• WINDOWS NT
• BANYAN VINES

Process

Step 1. Determine the operating system on each target system host(s).

Step 2. Determine the IP addresses associated with each operating system on the target system host(s).

Step 3. Run the tool appropriate for the system(s) being reviewed to determine where configuration problems exist. (see Tools Section 4.4)

Step 4. Document problems, evaluate and obtain patches/fixes.

Step 5. Conduct an on-site visit to the organizations whose system(s) is being verified.

• Use the appropriate Checklist to determine what configuration items should be verified.
• Use the appropriate Handbook to determine how to verify the configuration items and how to correct those which may create a vulnerability.

Step 6. Complete the Checklist as each item is verified/corrected. Items not found on the checklist should be analyzed and appropriate action taken. Items implemented as a result of the analysis should be submitted for addition to the OS checklist.

Step 7. Coordinate and document all changes with Application owners as well as the system administrators.

Step 8. Run the tool appropriate for the system being reviewed to determine that the configuration problems have been resolved. Document any remaining vulnerability.

Step 9. Prepare the Final Report and forward to the organization's ISSO, the reviewed system's owner, and other appropriate parties.

Time per System/Device:

• Preparation Time up-front: 2 - 4 hours identifying the current condition of the configuration and downloading the appropriate patches in preparation for the on-site activities.
• On-Site Time: 4 - 8 hours depending on the status of the device. Four hours to verify a previously configured device, and up to 8 hours to configure a newly installed device.
• Final Report Preparation Time: 4 hours; this includes the documentation of activities by the reviewer and also the transfer of the documentation by the report writer into the final report.

Performance Goal: To identify existing vulnerabilities, define and implement countermeasures, and verify solution effectiveness.

Outcome Goal: Known vulnerabilities will be resolved. Unresolved vulnerabilities will be documented for further analysis and resolution development.

Output goal: To achieve compliance with OMB A130 guidelines.

General Objective: To protect automated information systems against potential threats.

Performance Indicator: The results obtained from each system scan/evaluation will provide metrics for determining requirements for repetition interval.

• Security Administrator Tool for Analyzing Networks (SATAN)
• ISS Internet Scanner
• CyberCop Scanner for Windows NT
• Banyan NetPro Toolbox
• Hydra